CVE-2024-56374

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions cleanipv6address and isvalidipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

References

Affected packages

Git / github.com/django/django

Affected ranges

Type

GIT

Repo

https://github.com/django/django

Events

Introduced

879e5d587b84e6fc961829611999431778eb9f6a

Fixed

a7b0e50eadba8f0420013605c70eb790280b0fd2

Introduced

52821001bb62b764d73e63812133f199b8fef9eb

Fixed

67bb624b2d3099aee4d8d8bca8a004111bfabfaa

Introduced

84d09a547fe35e10018ab242602ca76c29ca91a1

Fixed

3d3d7f5052edb99bafaa5a2f1a7dd5b968643727

Database specific

{
    "versions": [
        {
            "introduced": "4.2"
        },
        {
            "fixed": "4.2.18"
        },
        {
            "introduced": "5.0"
        },
        {
            "fixed": "5.0.11"
        },
        {
            "introduced": "5.1"
        },
        {
            "fixed": "5.1.5"
        }
    ]
}

Affected versions

4.*

4.2

4.2.1

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.15

4.2.16

4.2.17

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

stable/5.*

stable/5.1.x

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56374.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    }
]